From c16ba4fbdb36445d5198b891404bfd675d59de17 Mon Sep 17 00:00:00 2001
From: jmeridth
Date: Fri, 7 Jun 2024 23:27:36 -0500
Subject: [PATCH] chore: add dependabot config
- [x] add dependabot config
- group dependency updates when minor/patch to reduce PRs
- keep major dependency updates separate for visibility and testing
- [x] change workflow actions to SHAs instead of tags to secure supply chain
- tags are mutable and malicious code could be injected, SHAs are immutable
Signed-off-by: jmeridth
---
.github/dependabot.yaml | 26 ++++++++++++++++++++
.github/workflows/ci.yml | 45 ++++++++++++++++-------------------
.github/workflows/release.yml | 8 +++----
3 files changed, 50 insertions(+), 29 deletions(-)
create mode 100644 .github/dependabot.yaml
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..18a7e46
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,26 @@
+version: 2
+updates:
+ - package-ecosystem: "bundler"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "chore(deps)"
+ groups:
+ dependencies:
+ applies-to: version-updates
+ update-types:
+ - "minor"
+ - "patch"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "chore(deps)"
+ groups:
+ dependencies:
+ applies-to: version-updates
+ update-types:
+ - "minor"
+ - "patch"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8a4812a..aa82bd1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,7 +1,5 @@
 name: CI
-
 on: [push, pull_request]
-
 jobs:
 build:
 name: Test on Ruby ${{ matrix.ruby_version }}, Rails ${{ matrix.rails_version }}, graphql-ruby ${{ matrix.graphql_version }}
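Review bot: The new dependabot.yaml carries no comment explaining why the `dependencies` group covers only the `minor` and `patch` update types; that rationale (majors stay as separate PRs for visibility and testing) lives only in the commit message and will be invisible to the next reader of the file. Suggest a header comment above `updates:` such as `# Minor/patch updates are grouped into one PR per ecosystem; major updates stay separate so each gets its own review and CI run.` Worth documenting alongside it is the trade-off: a grouped PR bundles several dependency changes into a single review, so each individual bump gets less scrutiny than it would on its own. As a point of style, `applies-to: version-updates` is the only unquoted string value in the file while every other value is quoted; quote it or unquote the rest for consistency.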
@@ -26,29 +24,28 @@ jobs:
 - "~> 7.0.0"
 - "~> 7.1.0"
 steps:
- - uses: actions/checkout@v4
- - name: Set up Ruby ${{ matrix.ruby_version }}
- uses: ruby/setup-ruby@v1
- with:
- ruby-version: ${{ matrix.ruby_version }}
- - name: Build and test
- run: |
- bundle install --jobs 4 --retry 3
- bundle exec rake test
- env:
- RAILS_VERSION: ${{ matrix.rails_version }}
- GRAPHQL_VERSION: ${{ matrix.graphql_version }}
-
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+ - name: Set up Ruby ${{ matrix.ruby_version }}
+ uses: ruby/setup-ruby@d5fb7a202fc07872cb44f00ba8e6197b70cb0c55 # v1
+ with:
+ ruby-version: ${{ matrix.ruby_version }}
+ - name: Build and test
+ run: |
+ bundle install --jobs 4 --retry 3
+ bundle exec rake test
+ env:
+ RAILS_VERSION: ${{ matrix.rails_version }}
+ GRAPHQL_VERSION: ${{ matrix.graphql_version }}
 rubocop:
 name: Rubocop
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - name: Set up Ruby
- uses: ruby/setup-ruby@v1
- with:
- ruby-version: 3.2
- - name: Build and test
- run: |
- bundle install --jobs 4 --retry 3
- bundle exec rake rubocop
\ No newline at end of file
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+ - name: Set up Ruby
+ uses: ruby/setup-ruby@d5fb7a202fc07872cb44f00ba8e6197b70cb0c55 # v1
+ with:
+ ruby-version: 3.2
+ - name: Build and test
+ run: |-
+ bundle install --jobs 4 --retry 3
+ bundle exec rake rubocop
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4bbfb3d..ebbcf6c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,10 +1,8 @@
 name: Release
-
 on:
 release:
 types: [published]
 workflow_dispatch:
-
 jobs:
 release:
 name: Release to RubyGems
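Review bot: The SHA pins added in both the `build` and `rubocop` steps are annotated only with a major tag (`# v4`, `# v1`), which does not tell a reviewer which upstream release the commit corresponds to, so the pin cannot be checked against the published tag without resolving the SHA by hand; the same applies to the three pins in the second release.yml hunk. Recording the exact release in the comment, e.g. `uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.<minor>.<patch>`, keeps each pin auditable and still lets Dependabot track it. Separately, `ruby-version: 3.2` in the rubocop job is an unquoted float: it happens to survive here, but a value such as 3.10 would be read as 3.1, so `ruby-version: "3.2"` is the safer form. The `build` job's matrix definition and the rest of the file lie outside this hunk.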
@@ -13,9 +11,9 @@ jobs:
 id-token: write
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: ruby/setup-ruby@v1
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+ - uses: ruby/setup-ruby@d5fb7a202fc07872cb44f00ba8e6197b70cb0c55 # v1
 with:
 bundler-cache: true
 ruby-version: ruby
- - uses: rubygems/release-gem@v1
+ - uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1
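Review bot: The checkout step in this release job is left at its default `persist-credentials` setting, so the workflow token is written into the checkout's `.git/config` and is readable by the `bundle install` that `bundler-cache: true` triggers and by the release step, in a job that also holds `id-token: write`. Unless a later step has to push to the repository (none is visible in this hunk), add `with:` / `persist-credentials: false` under the `actions/checkout` line to keep the token out of the workspace. The job's `permissions` block begins above the hunk, so whether scopes other than `id-token` are granted cannot be confirmed from here.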